A short tutorial on how you can use Keycloak to connect Kubernetes to your LDAP server and configure the import of users and groups. This will let you configure RBAC for your users and use an auth-proxy to protect the Kubernetes Dashboard and other applications that cannot authenticate users themselves.
Installing Keycloak
Let's assume you already have an LDAP server. It can be Active Directory, FreeIPA, OpenLDAP or anything else. If you don't have an LDAP server, then in principle you can create users directly in the Keycloak interface, or use public OIDC providers (Google, GitHub, GitLab); the result will be almost the same.
First, let's install Keycloak itself. It can be installed separately or directly into the Kubernetes cluster. As a rule, if you have several Kubernetes clusters, it is easier to install it separately. On the other hand, you can always use
To store Keycloak data you will need a database. By default this is h2 (all data is stored locally), but it is also possible to use postgres, mysql or mariadb.
If you decide to install Keycloak separately, you will find more detailed instructions
Setting up federation
First, let's create a new realm. A realm is the space of our application. Each application can have its own realm with different users and authorization settings. The Master realm is used by Keycloak itself, and it is wrong to use it for anything else.
Click Add realm

Option | Value
Name | kubernetes
Display name | Kubernetes
HTML Display name | <img src="https://kubernetes.io/images/nav_logo.svg" width="400" >
By default Kubernetes checks whether the user's email is verified or not. Since we are using our own LDAP server, this check will always return false. Let's disable the representation of this option in Kubernetes:
Client Scopes -> Email -> Mappers -> Email verified (Delete)
Now let's set up federation; to do this, go to:
User Federation -> Add provider... -> ldap
Here is an example of the settings for FreeIPA:

Option | Value
Console Display Name | freeipa.example.org
Vendor | Red Hat Directory Server
UUID LDAP attribute | ipauniqueid
Connection URL | ldaps://freeipa.example.org
Users DN | cn=users,cn=accounts,dc=example,dc=org
Bind DN | uid=keycloak-svc,cn=users,cn=accounts,dc=example,dc=org
Bind Credential | <password>
Allow Kerberos authentication | on
Kerberos Realm | EXAMPLE.ORG
Server Principal | HTTP/[email protected]
KeyTab | /etc/krb5.keytab

The user keycloak-svc must be created on our LDAP server beforehand.
In the case of Active Directory, you just need to select Vendor: Active Directory and the necessary settings will be filled into the form automatically.
Click Save
Now let's continue:
User Federation -> freeipa.example.org -> Mappers -> First Name

Option | Value
Ldap attribute | givenName
Now let's enable group mapping:
User Federation -> freeipa.example.org -> Mappers -> Create

Option | Value
Name | groups
Mapper type | group-ldap-mapper
LDAP Groups DN | cn=groups,cn=accounts,dc=example,dc=org
User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
Now that the federation configuration is complete, let's move on to setting up the client.
Setting up the client
Let's create a new client (the application that will receive users from Keycloak). Go to:
Clients -> Create

Option | Value
Client ID | kubernetes
Access Type | confidential
Root URL | http://kubernetes.example.org/
Valid Redirect URIs | http://kubernetes.example.org/*
Admin URL | http://kubernetes.example.org/
Let's also create a scope for groups:
Client Scopes -> Create

Option | Value
Template | No template
Name | groups
Full group path | false
And set up a mapper for it:
Client Scopes -> groups -> Mappers -> Create

Option | Value
Name | groups
Mapper Type | Group membership
Token Claim Name | groups
Now we need to enable the group mapping in the scopes of our client:
Clients -> kubernetes -> Client Scopes -> Default Client Scopes
Select groups in Available Client Scopes and click Add selected
Now let's configure authentication for our application; go to:
Clients -> kubernetes

Option | Value
Authorization Enabled | ON

Click Save, and with that the setup is complete; now under
Clients -> kubernetes -> Credentials
you can find the secret that we will use later.
Configuring Kubernetes
Setting up Kubernetes for OIDC authorization is trivial and not at all difficult. All you need to do is put the CA certificate of your OIDC server in /etc/kubernetes/pki/oidc-ca.pem and add the necessary options to kube-apiserver.
To do this, update /etc/kubernetes/manifests/kube-apiserver.yaml on all your masters:
...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.pem
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://keycloak.example.org/auth/realms/kubernetes
    - --oidc-username-claim=email
    ...
Also update the kubeadm configuration in the cluster so that these settings are not lost during an upgrade:

kubectl edit -n kube-system configmaps kubeadm-config

...
data:
  ClusterConfiguration: |
    apiServer:
      extraArgs:
        oidc-ca-file: /etc/kubernetes/pki/oidc-ca.pem
        oidc-client-id: kubernetes
        oidc-groups-claim: groups
        oidc-issuer-url: https://keycloak.example.org/auth/realms/kubernetes
        oidc-username-claim: email
...
This completes the Kubernetes configuration. You can repeat these steps on all your Kubernetes clusters.
Initial authorization
After these steps you will already have a Kubernetes cluster with OIDC authorization configured. The only problem is that your users don't yet have a configured client or their own kubeconfig. To solve this, you need to arrange automatic issuance of a kubeconfig to users after successful authorization.
To do this, you can use special web applications that let you authenticate the user and then download a ready-made kubeconfig. One of the most useful is
To configure Kuberos, just describe the kubeconfig template and run it with the following parameters:

kuberos https://keycloak.example.org/auth/realms/kubernetes kubernetes /cfg/secret /cfg/template
For more details see
It is also possible to use
The resulting kubeconfig can be checked on the website: paste the users[].user.auth-provider.config.id-token value from your kubeconfig into the form on the website and you immediately get the decoded token.
Configuring RBAC
When configuring RBAC you can refer both to the user name (the name field in the JWT token) and to each of the user's groups (the groups field in the JWT token). Here is an example of configuring permissions for the group kubernetes-default-namespace-admins:
kubernetes-default-namespace-admins.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-admins
  namespace: default
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-default-namespace-admins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-admins
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: kubernetes-default-namespace-admins
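The checks described above, gathered in one place as an added example that is not part of the original article: it reads users[].user.auth-provider.config.id-token from a kubeconfig, decodes the payload the way jwt.io displays it, applies the issuer, audience, username-claim and groups-claim rules that kube-apiserver applies with the flags from this page (including the email_verified rule that is the reason for deleting the 'Email verified' mapper in Keycloak), and finally checks whether the RoleBinding above applies to the resulting identity. The kubeconfig, token, user and group values are constructed sample data; the token is unsigned, so this inspects claims and does not establish a token's authenticity.

```python
import base64
import json

# Values from the page: the Keycloak realm acting as issuer and the client id
# that kube-apiserver is configured with (--oidc-issuer-url / --oidc-client-id).
ISSUER = "https://keycloak.example.org/auth/realms/kubernetes"
CLIENT_ID = "kubernetes"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a header.payload. compact JWT with an empty signature.
    Constructed test data only; a real Keycloak token is RS256-signed."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """What jwt.io displays: the payload, decoded without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def id_token_from_kubeconfig(kubeconfig: dict, user_name: str) -> str:
    """Read users[].user.auth-provider.config.id-token for one user entry."""
    for entry in kubeconfig["users"]:
        if entry["name"] == user_name:
            return entry["user"]["auth-provider"]["config"]["id-token"]
    raise KeyError(user_name)


def kubernetes_identity(claims, issuer=ISSUER, client_id=CLIENT_ID,
                        username_claim="email", groups_claim="groups"):
    """Mirror the claim checks kube-apiserver applies with the flags used on this
    page (--oidc-username-claim=email, --oidc-groups-claim=groups). Returns
    (username, groups) or raises ValueError. Signature and expiry are not checked."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not contain the client id")
    username = claims.get(username_claim)
    if not username:
        raise ValueError(f"token has no {username_claim!r} claim")
    # This is why the 'Email verified' mapper is removed in Keycloak: with the
    # username taken from 'email', an explicit email_verified=false is rejected,
    # while an absent email_verified claim is accepted.
    if username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("email not verified")
    groups = claims.get(groups_claim, [])
    return username, [groups] if isinstance(groups, str) else list(groups)


def binding_applies(username, groups, subjects):
    """Does a RoleBinding's subjects list cover this identity?"""
    for s in subjects:
        if s["kind"] == "User" and s["name"] == username:
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False


# Constructed sample: the kubeconfig entry Kuberos would hand to a user, with a
# locally built, unsigned id-token. The user and group names are made up.
GOOD_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "email": "alice@example.org",
               "name": "Alice", "groups": ["kubernetes-default-namespace-admins"]}
SAMPLE_KUBECONFIG = {"apiVersion": "v1", "kind": "Config", "users": [
    {"name": "alice", "user": {"auth-provider": {"name": "oidc", "config": {
        "idp-issuer-url": ISSUER, "client-id": CLIENT_ID,
        "id-token": make_unsigned_token(GOOD_CLAIMS)}}}}]}
# Subjects of the RoleBinding shown above.
ROLEBINDING_SUBJECTS = [{"apiGroup": "rbac.authorization.k8s.io",
                         "kind": "Group", "name": "kubernetes-default-namespace-admins"}]


def check_kubeconfig(kubeconfig=SAMPLE_KUBECONFIG, user="alice"):
    """Decode the user's id-token and report (username, groups, binding matches)."""
    claims = decode_payload(id_token_from_kubeconfig(kubeconfig, user))
    username, groups = kubernetes_identity(claims)
    return username, groups, binding_applies(username, groups, ROLEBINDING_SUBJECTS)


if __name__ == "__main__":
    print(check_kubeconfig())
    try:  # the failure mode that deleting the mapper prevents
        kubernetes_identity(dict(GOOD_CLAIMS, email_verified=False))
    except ValueError as err:
        print("rejected:", err)
```

Because kube-apiserver is started with --oidc-username-claim=email, the user name that RBAC sees is the value of the email claim, so a User subject in a RoleBinding has to use that value rather than the display name; Group subjects match the entries of the groups claim exactly as the groups mapper emits them.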
More RBAC examples can be found in
Setting up auth-proxy
There is a wonderful project
dashboard-proxy.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kubernetes-dashboard-proxy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kubernetes-dashboard-proxy
    spec:
      containers:
      - args:
        - --listen=0.0.0.0:80
        - --discovery-url=https://keycloak.example.org/auth/realms/kubernetes
        - --client-id=kubernetes
        - --client-secret=<your-client-secret-here>
        - --redirection-url=https://kubernetes-dashboard.example.org
        - --enable-refresh-tokens=true
        - --encryption-key=ooTh6Chei1eefooyovai5ohwienuquoh
        - --upstream-url=https://kubernetes-dashboard.kube-system
        - --resources=uri=/*
        image: keycloak/keycloak-gatekeeper
        name: kubernetes-dashboard-proxy
        ports:
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
        readinessProbe:
          httpGet:
            path: /oauth/health
            port: 80
          initialDelaySeconds: 3
          timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard-proxy
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: kubernetes-dashboard-proxy
  type: ClusterIP
Source: www.habr.com